CVE-2023-36812
Published: 30 June 2023
Summary
CVE-2023-36812 is a critical-severity Injection (CWE-74) vulnerability in OpenTSDB. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
OpenTSDB, an open source distributed time series database, contains a remote code execution vulnerability tracked as CVE-2023-36812. The flaw arises when user-controlled input is written into a Gnuplot configuration file that is subsequently executed by the Gnuplot binary, enabling arbitrary command execution. The issue is rated 9.8 on CVSS 3.1 and is classified under CWE-74 (Injection). It was addressed in release 2.4.2 through commits 07c4641471c and fa88d3e4b.
Unauthenticated attackers with network access can exploit the vulnerability without user interaction to obtain full control over the affected OpenTSDB instance, including the ability to execute arbitrary commands on the underlying host. The attack surface is exposed whenever the Gnuplot integration is reachable, which occurs by default in vulnerable configurations.
Public advisories and the project repository recommend upgrading to version 2.4.2. Where immediate upgrade is not feasible, operators can set tsd.core.enable_ui to true and delete the mygnuplot.bat and mygnuplot.sh shell scripts to disable the affected code path. The current EPSS score of 0.8429 with a recorded peak of 0.8559 indicates sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1721
Vulnerability details
OpenTSDB is an open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to remote code execution by writing user-controlled input to a Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. Users unable to upgrade may disable Gnuplot via the config option `tsd.core.enable_ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.
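As an added example (not part of the advisory text or of the OpenTSDB project), the following POSIX shell script checks the two remediation states the advisory names: running the fixed release 2.4.2 or later, or having removed the `mygnuplot.sh` and `mygnuplot.bat` helper scripts. The version string and the directory holding the scripts are assumed inputs supplied by the operator; the demo at the bottom builds a throwaway directory to show each outcome. The `tsd.core.enable_ui` setting is deployment-specific and is not inspected here.

```shell
#!/bin/sh
# Added example, not from the advisory or the OpenTSDB project.
# Reports whether an OpenTSDB deployment is patched, mitigated, or still
# exposed to CVE-2023-36812 based on the two remediations the advisory names.

# Prints "yes" if the version string is 2.4.2 or later, otherwise "no".
# Pre-release suffixes (e.g. 2.4.2RC1) are treated as older than the
# numbered release, so only a final 2.4.2 or later counts as patched.
is_patched_version() {
    ver="$1"
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}
    minor=${2:-0}
    patch_raw=${3:-0}
    patch=${patch_raw%%[!0-9]*}          # leading digits only
    suffix=${patch_raw#"$patch"}         # anything after the digits
    patch=${patch:-0}
    if [ -n "$suffix" ]; then
        patch=$((patch - 1))             # 2.4.2RC1 ranks below 2.4.2
    fi
    if [ "$major" -gt 2 ]; then echo yes
    elif [ "$major" -lt 2 ]; then echo no
    elif [ "$minor" -gt 4 ]; then echo yes
    elif [ "$minor" -lt 4 ]; then echo no
    elif [ "$patch" -ge 2 ]; then echo yes
    else echo no
    fi
}

# Prints "yes" if neither Gnuplot helper script exists in the given directory.
gnuplot_scripts_removed() {
    dir="$1"
    if [ -e "$dir/mygnuplot.sh" ] || [ -e "$dir/mygnuplot.bat" ]; then
        echo no
    else
        echo yes
    fi
}

# Combines both checks into a single status line.
cve_2023_36812_status() {
    version="$1"
    dir="$2"
    if [ "$(is_patched_version "$version")" = yes ]; then
        echo "patched (release $version)"
    elif [ "$(gnuplot_scripts_removed "$dir")" = yes ]; then
        echo "mitigated (gnuplot scripts removed)"
    else
        echo "vulnerable"
    fi
}

# Constructed demo: a temporary directory standing in for an OpenTSDB install.
demo_dir=$(mktemp -d)
touch "$demo_dir/mygnuplot.sh" "$demo_dir/mygnuplot.bat"
echo "2.4.1, scripts present:  $(cve_2023_36812_status 2.4.1 "$demo_dir")"
rm -f "$demo_dir/mygnuplot.sh" "$demo_dir/mygnuplot.bat"
echo "2.4.1, scripts removed:  $(cve_2023_36812_status 2.4.1 "$demo_dir")"
echo "2.4.2, scripts removed:  $(cve_2023_36812_status 2.4.2 "$demo_dir")"
rmdir "$demo_dir"
```

Run it with the real installed version and the directory that holds the helper scripts in place of the demo values; a "vulnerable" result means neither remediation is in place.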
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.